The present invention generally relates to a one-time password (OTP) authentication system and method, and more particularly to an OTP wireless authentication system and method that performs OTP authentication using a mobile communication terminal having a near field communication (NFC) function and an OTP generator having a communication function corresponding to the NFC.
The popularization of the Internet, driven by increased Internet speeds, has introduced various kinds of online business transactions (typically referred to as “electronic commerce”), and membership systems for providing and sharing various kinds of information have become commonplace. For electronic commerce and membership registration, various kinds of private information must be registered on the Internet server that provides the service. In order to protect such private information, each service server assigns an ID and password unique to a user and allows the user information to be checked, amended, or changed only when the input ID and password match the pre-stored ID and password.
However, since an ID and fixed-password authentication scheme has the limitation that IDs and passwords are easily exposed, it is difficult to protect private information stored on Internet servers using only IDs and passwords. In order to improve on this existing authentication method, an authentication certificate, a one-time password (OTP) scheme, etc., are being applied in combination.
However, the authentication certificate scheme has a limitation in that once an authentication certificate and a password thereof are exposed, a user may directly suffer monetary damage.
In order to address the deficiencies of the ID/password scheme and the authentication certificate scheme, an OTP authentication scheme has recently been introduced, in which an OTP is generated by an OTP generator (e.g. of a token type or card type) carried separately by the user, and authentication is performed using that OTP, so that no high-security password for user authentication or payment message authentication needs to be remembered by the user or stored in a service terminal.
FIG. 1 illustrates the configuration of a typical dedicated card-type OTP generator, and FIG. 2 illustrates the configuration of a card-type OTP generator combined with a financial card.
Typically, the dedicated card-type OTP generator 1 includes an OTP generation unit 20 contained in a card 10.
The OTP generation unit 20 includes a button 21 for generating an OTP generation request signal, a micro control unit (MCU) 22 for generating an OTP when the OTP generation request signal is input, a display unit 23 for displaying the generated OTP, and a battery 24 for supplying driving power to the button 21, the MCU 22, and the display unit 23. Methods for generating the OTP are disclosed in the HMAC-Based OTP Algorithm (HOTP, RFC 4226), the Time-based OTP Algorithm (TOTP, RFC 6238), and the OATH Challenge/Response Algorithms (OCRA) Specification (RFC 6287), and accordingly a description thereof is omitted.
The financial card combined-type OTP generator 1 includes an OTP generating unit 20 for generating and displaying an OTP, and a financial processing unit 30 for storing typical financial card information and performing financial processes such as providing the financial card information in response to a received wireless signal. The financial processing unit 30 includes an antenna 32 and a financial process control unit 31. The antenna 32 receives a wireless signal transmitted from a near field communication (NFC) module of a mobile communication terminal, such as a smartphone, or a wireless signal from a typical card reader requesting the financial card information, and wirelessly transmits a response signal including the financial card information corresponding to the received signal. The financial process control unit 31 transmits the pre-stored financial card information through the antenna 32 when such a wireless signal is received through the antenna 32, and is configured as a chip on board (COB).
The OTP generating unit 20 and the financial processing unit 30 are respectively configured to operate separately, as illustrated in FIG. 2.
As described above, various types of OTP generators have been developed and are used for services such as high-value transactions or transfers in the financial sector, but the generated OTP must be input within a certain time, which is inconvenient for the user.
In addition, since anyone can generate an OTP merely by pressing the button, a typical OTP generator may be used illegally by a third party when it is lost.
In addition, a typical OTP generator has the limitation that a user cannot use it when a fault occurs, even in only a part of it. Since such OTPs are frequently used in financial transactions, a usage limitation attributable to such a fault may cause significant monetary loss to the user.
In addition, in an OTP authentication system using an existing OTP generator, when a user inputs an OTP into a web service site accessed through a user authentication terminal such as a computer, the OTP may be exposed by memory hacking.